You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/overview-access-restrictions.md
+27-18Lines changed: 27 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -29,47 +29,56 @@ Site access restrictions let you filter the incoming requests. Site access restr
29
29
30
30
Site access restriction has several types of rules that you can apply:
31
31
32
-
### IP-based restriction rules
32
+
### IP-based access restriction rules
33
33
34
34
The IP-based access restrictions feature helps when you want to restrict the IP addresses that can be used to reach your app. Both IPv4 and IPv6 are supported. Some use cases for this feature:
35
+
35
36
* Restrict access to your app from a set of well-defined addresses.
36
37
* Restrict access to traffic coming through an external load-balancing service or other network appliances with known egress IP addresses.
37
38
38
-
To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].
39
+
To learn how to enable this feature, see [Configuring access restrictions](./app-service-ip-restrictions.md).
39
40
40
41
> [!NOTE]
41
42
> IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multi-tenant service, you need to use [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) to restrict traffic to select subnets in your virtual network.
42
43
43
-
### Restriction rules based on service endpoints
44
+
### Access restriction rules based on service endpoints
44
45
45
46
Service endpoints allow you to lock down *inbound* access to your app so that the source address must come from a set of subnets that you select. This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. If you want to use remote debugging with your app, your client can't be in a subnet that has service endpoints enabled. The process for setting service endpoints is similar to the process for setting IP access restrictions. You can build an allow/deny list of access rules that includes public addresses and subnets in your virtual networks.
46
47
47
48
> [!NOTE]
48
-
> Access restriction rules based on service endpoints are not supported on apps that use IP-based SSL ([App-assigned address](#app-assigned-address)).
49
+
> Access restriction rules based on service endpoints are not supported on apps that use IP-based SSL ([App-assigned address](./networking-features.md#app-assigned-address)).
50
+
51
+
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions](../virtual-network/virtual-network-service-endpoints-overview.md).
49
52
50
-
Some use cases for this feature:
53
+
### Access restriction rules based on service tags
51
54
52
-
* Set up an application gateway with your app to lock down inbound traffic to your app.
53
-
* Restrict access to your app to resources in your virtual network. These resources can include VMs, ASEs, or even other apps that use virtual network integration.
55
+
[Azure service tags](../virtual-network/service-tags-overview.md) are well defined sets of IP addresses for Azure services. Service tags group the IP ranges used in various Azure services and is often also further scoped to specific regions. This allows you to filter *inbound* traffic from specific Azure services.
54
56
55
-
57
+
For a full list of tags and more information, visit the service tag link above.
58
+
To learn how to enable this feature, see [Configuring access restrictions](./app-service-ip-restrictions.md).
56
59
57
-
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions][serviceendpoints].
60
+
### Advanced access restriction rule types
58
61
59
-
###Restriction rules based on service tags
62
+
#### Any service endpoint source
60
63
61
-
[Azure service tags][servicetags] are well defined sets of IP addresses for Azure services. Service tags group the IP ranges used in various Azure services and is often also further scoped to specific regions. This allows you to filter *inbound* traffic from specific Azure services.
64
+
For testing or in very specific scenarios, you may want to allow traffic from any service endpoint enabled subnet. You can do that by defining an IP-based rule with the text "AnyVnets" instead of an IP range. You cannot create these rules in the portal, but you can modify an existing IP-based rule and replace the IP address with the "AnyVnets" string.
62
65
63
-
For a full list of tags and more information, visit the service tag link above.
64
-
To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].
66
+
#### Multi-source rules
67
+
68
+
Multi-source rules allow you to combine up to eight IP ranges or eight Service Tags in a single rule. You might use this if you have more than 512 IP ranges or you want to create logical rules where multiple IP ranges are combined with a single http header filter.
69
+
70
+
Multi-source rules are defined the same way you define single-source rules, but with each range separated with comma.
71
+
72
+
You cannot create these rules in the portal, but you can modify an existing service tag or IP-based rule and add additional sources to the rule.
65
73
66
74
#### Http header filtering for site access restriction rules
67
75
68
-
For each rule, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to eight values per rule. The following list of http headers is currently supported:
69
-
* X-Forwarded-For
70
-
* X-Forwarded-Host
71
-
* X-Azure-FDID
72
-
* X-FD-HealthProbe
76
+
For any rule, regardless of type, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to eight values per rule. The following lists the supported http headers:
77
+
78
+
***X-Forwarded-For**. [Standard header](https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Forwarded-For) for identifying the originating IP address of a client connecting through a proxy server. Accepts valid CIDR values.
79
+
***X-Forwarded-Host**. [Standard header](https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Forwarded-Host) for identifying the original host requested by the client. Accepts any string up to 64 characters in length.
80
+
***X-Azure-FDID**. [Custom header](../frontdoor/front-door-http-headers-protocol.md#front-door-to-backend) for identifying the proxy host. Azure Front Door will send a guid identifying the instance, but it can also be used by 3rd party proxies to identify the specific instance. Accepts any string up to 64 characters in length.
81
+
***X-FD-HealthProbe**. [Custom header](../frontdoor/front-door-http-headers-protocol.md#front-door-to-backend) for identifying the health probe of the proxy backend. Azure Front Door will send "1" to uniquely identify a health probe request. The header can also be used by 3rd party proxies to identify health probes. Accepts any string up to 64 characters in length.
73
82
74
83
Some use cases for http header filtering are:
75
84
* Restrict access to traffic from proxy servers forwarding the host name
0 commit comments